Contract/Grant Title: A Unified Algebraic & Logic-Based Framework Towards Safe Routing Implementations

Contract/Grant #: FA9550-12-1-0327

Principal Investigator: Boon Thau Loo

Reporting Period: 15 Jun 2014 to 14 Jun 2015 (Final Report)

1.0 Highlights in the previous year (15 Jun 2015 - 14 Jun 2015)

In the past year, we have focused on two areas of work. First, we applied the concepts developed in the first two years to the domain of Software-Defined Networks (SDN). We developed a declarative platform for implementing SDN protocols using declarative networking programs that can be automatically verified for correctness. Second, we developed a declarative platform for automatically synthesizing SDN protocols from example scenarios.

Declarative network verification. Networks are complex systems that unfortunately are ridden with errors. Such errors can lead to disruption of services, which may have grave consequences. Verification of networks is key to eliminating errors and building robust networks. Over the past year, we proposed an approach to verifying networks using declarative networking, where networks are specified in Network Datalog (NDlog), a declarative language. We focus on analyzing safety properties. We have developed a technique to statically analyze NDlog programs: first, we build a dependency graph of the predicates of the NDlog program; then, we build a summary data structure called a derivation pool to represent all possible derivations, and their associated constraints, for the predicates in the program; finally, properties specified in first-order logic are checked on this data structure with the help of the SMT solver Z3. We built a prototype tool and demonstrated its effectiveness in validating and debugging several SDN applications.
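As an added illustration (not the prototype tool described in this report), the three-step analysis above can be sketched in Python on a constructed two-rule path program: a predicate dependency graph, a bounded derivation pool with per-instance variable renaming, and a property check in which a brute-force search over a small finite domain stands in for Z3. All rules, base-fact assumptions and properties below are constructed for the example.

```python
from itertools import product
# Constructed toy NDlog-style program (not the paper's benchmark): an atom is (predicate, args);
# a rule is (head, body, constraints), each constraint a (function, variable names) pair.
RULES = [
    (("path", ("S", "D", "C")), [("link", ("S", "D", "C"))], []),
    (("path", ("S", "D", "C")),
     [("link", ("S", "Z", "C1")), ("path", ("Z", "D", "C2"))],
     [(lambda c, c1, c2: c == c1 + c2, ("C", "C1", "C2")),
      (lambda s, z: s != z, ("S", "Z"))]),
]
BASE = {"link": lambda s, d, c: s != d and c >= 1}  # assumed base facts: no self-links, cost >= 1
DOMAIN = range(3)  # small finite domain that stands in for the SMT solver

def dependency_graph(rules):  # Step 1: head predicate -> predicates it depends on
    return {h: {p for (g, _), body, _ in rules if g == h for p, _ in body} for (h, _), _, _ in rules}

def derivation_pool(rules, atom, depth, tag="0"):
    """Step 2: all derivations of `atom` up to `depth` unfoldings, as (equalities, constraints)."""
    pool, (pred, args) = [], atom
    for i, ((h, hargs), body, cons) in enumerate(rules):
        if h != pred or depth < 0:
            continue
        t = tag + str(i)
        ren = lambda v, t=t: v + "_" + t  # tag variables per rule instance to avoid clashes
        alts = [(list(zip(args, map(ren, hargs))), [(f, tuple(map(ren, ns))) for f, ns in cons])]
        for j, (p, pa) in enumerate(body):
            pa_t = tuple(map(ren, pa))
            subs = ([([], [(BASE[p], pa_t)])] if p in BASE
                    else derivation_pool(rules, (p, pa_t), depth - 1, t + str(j)))
            alts = [(e + se, c + sc) for e, c in alts for se, sc in subs]  # product over body atoms
        pool.extend(alts)
    return pool

def check(rules, atom, prop, depth=2):
    """Step 3: counterexample assignment (constraints hold, `prop` fails on the head) or None."""
    for eqs, cs in derivation_pool(rules, atom, depth):
        parent = {}
        def find(v):  # union-find: equated variables share one value
            while parent.setdefault(v, v) != v:
                v = parent[v]
            return v
        for a, b in eqs:
            parent[find(a)] = find(b)
        names = sorted({n for _, ns in cs for n in ns} | set(atom[1]))
        slot = {n: i for i, n in enumerate(sorted({find(n) for n in names}))}
        for vals in product(DOMAIN, repeat=len(slot)):
            env = {n: vals[slot[find(n)]] for n in names}
            if all(f(*(env[n] for n in ns)) for f, ns in cs) and not prop(*(env[n] for n in atom[1])):
                return env  # bounded, finite-domain check: None below means no violation found
    return None
```

With these rules, the property "every derived path has cost at least 1" finds no counterexample, while "no node derives a path to itself" is refuted by the two-hop derivation link(S,Z), link(Z,S), which is the kind of debugging feedback the derivation-pool approach is meant to give.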

Example-based SDN synthesis. The recent emergence of software-defined networks offers an opportunity to design domain-specific programming abstractions aimed at network operators. We propose scenario-based programming, a framework that allows network operators to program network policies by describing representative example behaviors. Given these scenarios, our synthesis algorithm automatically infers the controller state that needs to be maintained, along with the flow-table rules to process network events and update that state. We have developed the NetEgg scenario-programming tool, which executes the generated policy implementation on top of a centralized controller and also automatically infers rules that can be pushed to switches to improve throughput. We study a range of policies considered in the literature and report our experience specifying these policies using scenarios. We evaluate NetEgg on the computational requirements of our synthesis algorithm as well as the overhead introduced by the generated policy implementation. Our results show that our synthesis algorithm can generate policy implementations in seconds, and that the automatically generated policy implementations have performance comparable to their handcrafted counterparts.
2.0 Summary of research (15 Jun 2012 - 14 Jun 2015)

Over the past three years, we carried out several areas of work that aim to unify algebraic and logic-based frameworks for safe routing implementations. The original basis of our work was the Formally Safe Routing (FSR) toolkit. The FSR toolkit attempts to bridge the gap between formal reasoning and distributed implementations by unifying research in routing algebras with recent advances in declarative networking to produce provably correct distributed implementations. Specifically, FSR automates the process of analyzing routing configurations expressed in algebra for safety (i.e. convergence) using SMT solvers, and automatically compiles routing algebra into declarative routing implementations.

Based on the FSR toolkit, we have worked on the following areas:

BGPVerif - To scale up formal analysis of Internet routing systems, we propose a novel scalability technique, called network reduction, that exploits the structure of the networking problem space. Based on network reduction, we built the formal analysis toolkit BGPVerif, which enables networking researchers to study and analyze large BGP (Border Gateway Protocol) systems in a sound and automatic fashion. Central to BGPVerif are a network reduction engine for rewriting policy configurations into smaller and simpler forms, and an automatic analyzer for performing analysis on the reduced BGP instance. Network reduction provides two types of reduction rules that transform policy configurations by merging duplicate and complementary router configurations to simplify analysis. We show that the network reductions are sound, dual to each other, and locally complete. The reductions are also computationally attractive, requiring only local configuration information and modification. We have developed a prototype of network reduction and demonstrated that it is applicable to various BGP systems and enables significant savings in analysis time. In addition to making possible safety analysis of large networks that would otherwise not complete within reasonable time, network reduction is also a useful tool for discovering possible redundancies in BGP systems. BGPVerif appeared at Infocom 2014 and, together with the earlier FSR work, formed the basis of Anduo Wang's PhD dissertation.


SDN verification and synthesis — We explored a formal synthesis approach for managing SDNs. With the tremendous growth of the Internet and the emerging SDN infrastructure, there is an increasing need for rigorous and scalable network management methods and tool support. We formulate the construction of network control logic as a reactive synthesis problem, which is solvable with existing synthesis tools. The key idea is to synthesize a strategy that manages control logic in response to network changes while satisfying a network-wide specification. Finally, we investigate network abstractions for scalability. For large networks, instead of synthesizing control logic directly, we use an abstraction, a smaller network that simulates the original's behavior, for synthesis, and then implement the synthesized control on the original network while preserving correctness. Using the so-called simulation relations, we also prove the soundness of this abstraction-based synthesis approach.

DISTRIBUTION A: Distribution approved for public release


An initial version of this work appeared at WRiPE 2013. We have since extended it into the scenario-based programming platform NetEgg described in Section 1.0 of this report. NetEgg appeared in ACM HotNets 2014, and a paper is under submission to CoNEXT 2015.


FixRoute toolkit - The FixRoute toolkit extends FSR by incorporating numerical optimization, to ensure safe routing implementations that also meet traffic engineering goals. FixRoute is motivated by the fact that the performance of networks using the Internet Protocol is sensitive to the precise configuration of many low-level parameters on each network device. These settings govern the behavior of dynamic routing protocols, which direct the flow of traffic; to ensure that these dynamic protocols all converge to produce some 'optimal' flow, each parameter must be set correctly. Multiple conflicting optimization objectives, non-determinism, and the need to reason about different failure scenarios make the task particularly complicated. We present a fast and flexible approach for the analysis of a number of such management tasks in the context of BGP routing. The idea is to combine logical satisfiability criteria with traditional numerical optimization, to reach a desired traffic flow outcome subject to given constraints on the routing process. The method can then be used to probe parameter sensitivity, trade-offs in the selection of optimization goals, resilience to failure, and so forth. The theory is underpinned by a rigorous abstraction of the convergence of distributed asynchronous message-passing protocols, and is therefore generalizable to other scenarios. Our resulting hybrid engine is faster than either purely logical or purely numeric alternatives, making it potentially feasible for interactive production use. An earlier version of FixRoute (called Route Shepherd) was demonstrated at SIGCOMM 2012, and a paper on FixRoute is currently under submission to Infocom 2016.


Declarative network verification - Our fourth area of focus is generating provably correct network implementations using declarative networking techniques. See Section 1.0 for details. Work in this area appeared in PPDP 2015.


Declarative secure network verification - Our fifth area of work extends the declarative network verification work into the security arena. The Internet, as it stands today, is highly vulnerable to attacks. However, little has been done to understand and verify the formal security guarantees of proposed secure inter-domain routing protocols, such as Secure BGP (S-BGP). We develop a sound program logic for SANDLog, a declarative specification language for secure routing protocols, for verifying properties of these protocols. We prove invariant properties of SANDLog programs that run in an adversarial environment. As a step towards automated verification, we implement a verification condition generator (VCGen) to automatically extract proof obligations. VCGen is integrated into a compiler for SANDLog that can generate executable protocol implementations; thus, both verification and empirical evaluation of secure routing protocols can be carried out in this unified framework. To validate our framework, we encoded several proposed secure routing mechanisms in SANDLog, verified variants of path authenticity properties by manually discharging the generated verification conditions in Coq, generated executable code from the SANDLog specifications, and ran the code in simulation. Work in this area appeared in FORTE 2014.


3.0 Manpower training

We have graduated several Ph.D. students and postdocs who worked on topics related to this grant. They include:

• Anduo Wang (Ph.D. 2013, UIUC postdoc, joining Temple University as Assistant Professor in January 2015)

• Dong Lin (Ph.D. 2015, joined Google)

In addition, current fourth-year Ph.D. student Chen Chen also worked on topics related to this grant, and will graduate by summer 2016.


4.0 Main publications generated (15 Jun 2012 - 14 Jun 2015)

Automated Verification of Safety Properties in Declarative Networking Programs. Chen Chen, Lay Kuan Loh, Limin Jia, Wenchao Zhou, and Boon Thau Loo. 17th International ACM SIGPLAN Symposium on Principles and Practice of Declarative Programming (PPDP), July 2015.

A Scalable Multi-Datacenter Layer-2 Network Architecture. Chen Chen, Changbin Liu, Pingkai Liu, Boon Thau Loo, and Ling Ding. Symposium on SDN Research (SOSR), 2015.

Private and Verifiable Interdomain Routing Decisions. Mingchen Zhao, Wenchao Zhou, Alexander J. T. Gurney, Andreas Haeberlen, Micah Sherr, and Boon Thau Loo. IEEE/ACM Transactions on Networking (ToN), 2015.

NetEgg: Programming Network Policies by Examples. Yifei Yuan, Rajeev Alur, and Boon Thau Loo. 13th ACM Workshop on Hot Topics in Networks (HotNets-XIV), 2014.

Diagnosing Missing Events in Distributed Systems with Negative Provenance. Yang Wu, Mingchen Zhao, Andreas Haeberlen, Wenchao Zhou, and Boon Thau Loo. ACM SIGCOMM Conference on Data Communication, 2014.

Program Logic for Verifying Secure Routing Protocols. Chen Chen, Limin Jia, Hao Xu, Cheng Luo, Wenchao Zhou, and Boon Thau Loo. 34th IFIP International Conference on Formal Techniques for Distributed Objects, Components and Systems (FORTE). Berlin, Germany, 2014.

A Reduction-based Approach Towards Scaling Up Formal Analysis of Internet Configurations. Anduo Wang, Alexander Gurney, Xianglong Han, Jinyan Cao, Boon Thau Loo, Carolyn Talcott, and Andre Scedrov. 33rd Annual IEEE International Conference on Computer Communications (INFOCOM). Toronto, Canada, 2014.

Automated Synthesis of Reactive Controllers for Software-Defined Networks. Anduo Wang, Salar Moarref, Ufuk Topcu, Boon Thau Loo, and Andre Scedrov. 3rd International Workshop on Rigorous Protocol Engineering (WRiPE), 2013.

Declarative Platform for High-Performance Network Traffic Analytics. Harjot Gill, Dong Lin, Cam Nguyen, Tanveer Gill, and Boon Thau Loo. Cluster Computing journal (Special Issue on selected best papers of HPDC 2013), 2014.

Impact of Path Selection and Scheduling Policies on MPTCP Performance. Behnaz Arzani, Alexander Gurney, Shuotian Cheng, Roch Guerin, and Boon Thau Loo. 4th International Workshop on Protocols and Applications with Multi-Homing Support (PAMS), 2014.

A Formal Framework for Secure Routing Protocols. Chen Chen, Limin Jia, Hao Xu, Cheng Luo, Wenchao Zhou, and Boon Thau Loo. USENIX Symposium on Networked